Human Rights and Export Controls Due Diligence

In both the EU and the US, there has been a growing expectation that exporters account for the potential human rights impact of their export transactions. As part of this development, the 2021 recast of the EU Dual-Use Regulation[1] introduced a more human rights-oriented approach to export controls, raising some particular challenges for organizations manufacturing and trading dual-use items, including recurring questions surrounding the exact scope of due diligence requirements. The outcomes of the recently started EU interinstitutional negotiations on the Corporate Sustainability Due Diligence Directive (CSDD) may shed some further light on such requirements. 

THIS ARTICLE IS WRITTEN BY HERMAN ANNINK AND GIDION LONT. HERMAN ([email protected]) AND GIDION ([email protected]) HAS A STRONG FOCUS INTERNATIONAL TRADE COMPLIANCE & SANCTIONS AND RESPECTIVELY ESG AND SUSTAINABILITY WITHIN RSM NETHERLANDS BUSINESS CONSULTING SERVICES AND.  

In 2016, the European Commission set out to contribute to the protection of human rights globally through its proposal for updated export control regulations, in particular through provisions relating to the control of cyber-surveillance technologies. The novelty of these cyber-surveillance controls fully introduced in 2021 lays in its non-technical approach as well as in the justification for applying these export controls. Organizations were now required to take a different approach to the classification of covered items and technology, and to also assess risks differently. What’s more, as the expectations for supply chain due diligence requirements are increasing across the board, some organizations are struggling to define what this means in light of EU dual-use export controls. This article will briefly introduce this human rights-oriented approach to EU export controls and the related challenges, before specifically looking at the due diligence requirements in light of the developments surrounding the CSDD.

Human Right Considerations – The old and the new

Despite the recent debates and the changes regarding the role of human rights in export controls, EU member states already had an obligation to take human rights into consideration in their licensing decision for well over a decade. In particular, member states were already required to deny export licenses if goods might be ‘used for internal repression’ or ‘serious violations of international humanitarian law’. However, previously such considerations were applied to items classified according to detailed technical specifications, which were primarily being controlled for reasons of (inter)national security and non-proliferation. Now, with the introduction of the controls on non-listed cyber-surveillance items, human right considerations have become a primary justification for certain export controls.

A recent article by the Amsterdam University Institute for Information Law (IVIR) has highlighted some of the challenges related to applying human rights logic to export controls.[2] It particularly drew attention to the fact that the regulatory framework for cybersurveillance items focuses on the function of such items as opposed to its technical specification. For exporters, this requires a different approach to the classification of such items. Moreover, whereas technical specifications are mostly fixed, the function of an item can be rather flexible, especially in case of digital technologies. This makes it particularly challenging to determine if something is a cyber-surveillance item, defined under the EU dual-use regulation as an item ‘specially designed to enable the covert surveillance’. 

EU Dual-Use Regulation 2021/821 – Due Diligence Requirements

A second challenge for exporters is to determine whether or not their products may be used in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law. The current EU dual-use regulation implies a due diligence requirement for exporters of cybersurveillance items. If an exporter is aware of mentioned human rights violations in relation to a proposed export of cyber surveillance items, ‘according to its due diligence findings’, it should notify the competent authority. 

For other non-listed dual-use items the catch-all controls in the Directive also require exporters to notify the competent authorities if they ‘are aware’ of certain specified end-uses. Member states may expand this requirement by lowering the threshold for notification to where the exporter ‘has ground for suspecting’ certain specified end-uses, as was done by the Netherlands. Although the Regulation doesn’t impose a due diligence requirement on exporters, the Dutch government has indicated that it considers these controls in light of the UN Guiding Principles on Business and Human Rights and the OECD Due Diligence Guidance for Responsible Business Conduct, thereby expecting companies to identify, mitigate, prevent and mitigate risks to people and the environment in the value chain through a process of due diligence, also with regard to dual-use export controls. 

The EU Corporate Sustainability Due Diligence Directive (CSDD)

On 23 February 2022, the European Commission introduced the Corporate Sustainability Due Diligence (CSDD) directive proposal, aiming to establish regulations on due diligence obligations and civil liability for businesses within the European Union. Among other things, the proposal seeks to avoid fragmentation and provide legal certainty. While member states reached a political agreement in December on a general approach that exempts certain products subject to export control, the European Parliamentary Commission on Development suggested including the manufacture and trade of weapons, ammunition, and dual-use items as high-impact sectors under the CSDD. The adopted propositions by the European Parliament, however, do not mention export controls, leaving the outcome of interinstitutional negotiations on this matter uncertain.

Concluding remarks

Companies already conducting human rights and environmental due diligence on the basis of the existing voluntary frameworks, should take care to consider how to fit dual-use export controls into their due diligence activities, if not already included. What’s more, once the CSDD has found its final form certain due diligence requirement will become mandatory, making the previous question relevant for all organizations covered by the CSDD, unless dual-use export controls will be excluded in the final version. Finally, the current EU dual-use regulation already implies a due diligence requirement for exporters of cybersurveillance items. The IVIR article on cybersurveillance items analysed three selected technologies to identify such items under the dual-use regulation. It pointed out that all three – location tracking devices, open-source intelligence software, and facial and emotion recognition technologies – could potentially be considered cybersurveillance items depending on the specific situation. Companies exporting technologies that might be considered cybersurveillance items under the dual-use regulation are advised to determine if they indeed are. If so, the challenge will be to determine the potential human rights impacts of such exports as part of their due diligence process.